Ministers consider ban on ransomware payments for UK public bodies

It could become illegal for companies and services providing critical national infrastructure in the UK to pay ransomware demands in the event of a cyberattack, under new proposals from the Home Office.

Posted 15 January 2025 by Christine Horton

Proposals include banning all public sector bodies and critical national infrastructure, including the NHS, local councils, and schools, from making ransomware payments, in order to make them unattractive targets for criminals. This is an expansion of the current ban on payments by government departments.

Other large companies and very wealthy individuals could also be obliged to report all ransomware incidents to the National Crime Agency, in order to build up a register.

The Home Office is currently carrying out a three-month consultation on the plans.

“With an estimated $1 billion flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this government’s Plan for Change is built,” said Security Minister Dan Jarvis.

“These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.”

Carried out largely by Russian-affiliated criminal gangs, ransomware attacks continue to pose the most immediate and disruptive threat to the UK’s critical national infrastructure, according to the National Cyber Security Centre’s (NCSC) Annual Review 2024. They also cause more disruption and pose a greater risk than other cybercrimes.

Recent cyberattacks have hit a key supplier to London hospitals and Royal Mail, with devastating impacts on the public.

The Home Office-led consultation will consider three proposals:

  1. A targeted ban on ransomware payments for all public sector bodies and critical national infrastructure – expanding the existing ban on ransomware payments by government departments, and making the essential services unattractive targets for ransomware crime.
  2. A ransomware payment prevention regime – increasing the National Crime Agency’s (NCA) awareness of live attacks and criminal ransom demands, providing victims with advice and guidance before they decide how to respond, and enabling payments to known criminal groups and sanctioned entities to be blocked.
  3. A mandatory reporting regime for ransomware incidents – maximising the intelligence used by UK law enforcement agencies to warn of emerging ransomware threats, and target their investigations on the most prolific and damaging organised ransomware groups.

The NCSC managed 430 cyber incidents between September 2023 and August 2024, including 13 ransomware incidents which were deemed to be nationally significant and posed serious harm to essential services or the wider economy. Reporting to the NCA indicates the number of UK victims appearing on ransomware data leak sites has also doubled since 2022.

Cybersecurity industry reacts to proposals

Tom Kidwell, a former British Army and UK Government intelligence specialist and co-founder of Ecliptic Dynamics, said the proposals are a case of legislation catching up with real-world developments.

“Existing laws are being used to enforce a crime that wasn’t in existence when the original legislation was created. If you suffer a ransomware attack, and personal data isn’t affected by the ransomware, do you have to report the incident as a breach? If so, organisations could, although I wouldn’t agree with this, potentially argue it’s not a breach which requires reporting to the ICO – this is the grey area which currently exists.

“Legally you cannot send funds to sanctioned individuals or organisations. The UK Government is sanctioning cyber criminals and organisations, and in some cases these entities may already be on a list, such as a sanctioned country. So the grey area here is, it’s not ‘illegal’ to make a ransomware payment, but it is illegal to send funds to designated sanctioned entities. The problem is that, in reality, most people have no idea who the real people behind a ransomware attack are, so how do you know if the attack group is on one of these sanctioned lists?”

Kidwell sees the proposals as a positive step that “would remove the ambiguity on what is legally required around a ransomware attack.”

Meanwhile, Jochen Michels, the European head of public affairs at Kaspersky, argues that though paying ransoms perpetuates the cycle of crime, there are numerous no-win scenarios which require government support, including financial assistance for recovery and access to decryption tools.

“In certain high-stakes scenarios, the decision to pay or not to pay becomes far more complex,” he said. “Take the example of an oil tanker: refusing to pay could lead to catastrophic environmental damage if operations are disrupted or a spill occurs, which would be more costly than the ransom itself. Similarly, in the healthcare sector, a ransomware attack on a hospital could delay critical patient care, with lives potentially at stake.

“It is understandable that organisations may feel compelled to pay, even if it conflicts with broader principles, to prevent significant harm. This highlights the urgent need for government safeguards to support victims who face no-win situations. Such measures could include financial assistance for recovery efforts, access to decryption tools, or even indemnities in cases where paying the ransom is deemed the only viable option. Governments must provide a clear framework for navigating these complex decisions while working toward stronger preventive measures and international cooperation to disrupt the ransomware ecosystem.”

Elsewhere, Christian Borst, EMEA CTO at Vectra AI, said organisations need to eliminate security blind spots to meet the proposed requirements, as cybercriminals are increasingly using multi-surface attacks to infect victims with ransomware.

“Enterprises need to eliminate security blind spots and understand their exposure to multi-surface attacks,” he said. “This means improving extended detection and response capabilities and using AI to boost cyber capabilities and increase understanding of their exposure to attacks – including third-party services and suppliers.”
